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[57] ABSTRACT 

A method of managing access to a distributive network 
provides both time and site access restraints for users or 
groups of users on a LAN or WAN adapted for accessing the 
network through a common network access interface sys- 
tem. The method utilizes the LAN server to develop and 
monitor the constraints, minimizing the utilization of the 
access interface system. The management parameters for 
each group or individual having access to the distributive 
network via the LAN or WAN is entered into the interface 
box by the administrator as a compact reference, a series of 
pointers to the larger database of users and groups stored in 
the existing LAN server directory services. The existing 
database of users and groups and their relationships exist 
already in the LAN servers as a normal consequence of LAN 
operation and a simple, graphical user interface in the 
preferred embodiment of the invention permits familiar 
selection of objects of that database and assignment of 
access constraints. 

29 Claims, 5 Drawing Sheets 
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SYSTEM FOR CONTROLLING USERS firewalls are designed to negotiate the management of the 

ACCESS TO A DISTRIBUTIVE NETWORK Internet IP addressing both within and without. 

IN ACCORDANCE WITH CONSTRAINTS The rapid dissemination of access to the Internet has 

PRESENT IN COMMON ACCESS brought the requirements to networks consisting only of PCs 

DISTRIBUTIVE NETWORK INTERFACE 5 typically running only PC operating systems such as 

SEPARATE FROM A SERVER WINDOWS, WINDOWS-95, and NT. These are single user 

workstations and which have, themselves, a completely 
separate database of users and groups designed for access 



BACKGROUND OF INVENTION 



1. Field of Invention within the network, the LAN, itself, to the PC LAN's own 
The subject invention is generally related to access sys- 10 resources such as local file access and printer access. These 
terns for connecting the users on a LAN or WAN to a LANs were designed without knowledge of and without 
distributive network such as, by way of example, corporate preparation for interfacing with the Internet. In fact, they 
intranets and the Internet, and is specifically directed to a operate normally on protocols which are incompatible with 
method for managing and controlling access to the network have no addressing for Internet interfacing, 
under both time and category constraints. 15 The prior art extends Internet IP addressing as an addi- 
2 Description of the Prior Art tional network interface addressing each of the LAN PC 
Distributive networks such as, by way of example, the workstations and treating the Intemet-address-enhanced PCs 
Internet, for interconnecting computers are well known. as .^ traditional host UNIX networked computers, 
Such networks permit remote and distributed computers to 2Q Wlth firewa11 techniques managing the Internet interface, 
communicate with each other over public communication Therefore, a need for a reliable, versatile administration 
channels. Over the years, use of such networks for research system for controlling and monitoring access to distributive 
and for communication via E-mail, file transfer, interactive network sites by either individual or groups of PC users on 
World Wide Web browsing and the like has become wide- * LAN or WAN within the capabilities of the administration 
spread. As such use has become commonplace in the work „ capacity of the personnel normally managing the original 
environment, individual users and user groups have access mechanisms and purposes for which it was designed and to 
to the world wide web via their workstation PC's. While do so with the management architecture already established, 
greatly facilitating the capability of each worker at a PC SUMMARY OF THE INVENTION 
workstation, such access has greatly complicated manage- 
ment of the worker. Systems to control both site and time 30 The subject invention is directed to a method for easily 
access to the web have become essential management tools controlling access to a distributive network by an individual 
to assure that only authorized users are interacting with user or groups of users both with respect to site address and 
facilities over the Internet during authorized time periods for services to be accessed and to the time periods when access 
legitimate, authorized purposes. is authorized from within the already established user man- 
Numerous policing techniques have been attempted in the 35 ag ? ment datab f aS f ^f™^ established t0 CODtro1 the ori ^ 
past, but all require burdensome administrative procedures nal P ur P ose ot toe LAN. 

and lack the fine ability to discriminate between legitimate The method of the subject invention permits administra- 

and undesirable use and are, in addition, implemented od lion of the use of the distributive network by providing 

additional hardware which carries significant expense. Man- management with the tools to not only define and control 

agement and control of user access to the Internet has been 4Q authorized use, but also to maintain a complete access log to 

traditionally implemented as an outgrowth of firewall tech- determine actual usage by each user on a LAN or WAN 

nology. Firewall technology involves a hardware device based upon the existing LAN management architecture, 

placed between the LAN which is supporting the worksta- The preferred embodiment of the subject invention uti- 

tions and computers and the Internet. The purpose of a lizes an access interface system or box associated with the 

firewall is to prevent outside, that is, other Internet comput- 45 distributive network, whereby access to the distributive 

ers and workstations, from gaining access to and damaging network by each of the plurality of PCs on the LAN or WAN 

or capturing control of the internal LAN computers and their is through the common access box without requiring the 

data. As access to the Internet from within the LAN additional Internet IP addressing to be added to each LAN 

expanded to the general employee population and their PC. This permits the box to identify the individual user or 

workstations from the previously well-controlled group of 50 the user group through the native identification of the LAN 

computer specialists, the management of the access to the and to implement the administration system. 

Internet became an additional requirement. A significant advantage of the system of the subject 

The technology of the firewall to control access between invention is that the management parameters for each group 

computers within and without the local LAN is through the or individual having access to the distributive network via 

use of Internet addressing, IP addresses are normally 55 the LAN or WAN is entered into the box by the adminis- 

required of every computer connected to the Internet. Tables trator as a compact reference, a series of pointers to the 

are established of internal and external computer addresses larger database of users and groups stored in the existing 

both individually and in contiguous groups, domains, and LAN server directory services. The existing database of 

permissions are assigned to the allowed connectivity. The users and groups and their relationships exist already in the 

complexity becomes much greater as the expanded utility of eo LAN servers as a normal consequence of LAN operation 

the Internet requires the identification of users as well as and a simple, graphical user interface in the preferred 

services at the various computers and permissions more embodiment of the invention permits familiar selection of 

finely identified even within addresses. objects of that database and assignment of Internet access 

Firewall technology is built upon the perspective of the constraints, 

traditional computers used to build and operate the Internet, 65 Furthermore, the processing of the access control is 

UNIX-based processors. These processors network together undertaken by the individual LAN PC, itself, after first 

with the very protocols used by the Internet, TCP/IP and the verifying its identity through the LAN PC authenticating 
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itself against the native LAN login and authentication. The 
individual PC, after the authentication of its identity by the 
normal LAN mechanisms, accesses the access control 
parameters assigned to that user or group from the box 
where it has been stored and the special box access module, 
itself, screens and controls Internet access for that PC user 
and updates the log files and metering parameters by updat- 
ing those pieces of information stored in a secure place in the 
box. 

Therefore, capacity is not limited since the capacity for 
identification of groups and/or individuals is maintained in 
the normal LAN directory management and the control 
overhead of these users and groups expands with the addi- 
tion of PCs on the LAN or WAN, each controlling its own 
access constraints and updating the log of its own access 
events. 

One example of an access product having the capability of 
providing common access to a distributive network and 
through which managed access may be implemented is the 
Instant Internet system offered by Performance Technology, 
Inc., San Antonio, Tex. The Instant Internet product is 
specifically designed for PC networks and enables all LAN 
users to simultaneously access a distributive network such as 
a corporate intranet, the Internet, or both, through a common 
interface or box. The box is an ideal location to be the focus 
of the monitor and control use by each user on the LAN. 

In the preferred embodiment of the subject invention, the 
administration system is capable of utilizing the native LAN 
identification of users, the group or groups to which each 
user is defined, and for authorizing for each user so identi- 
fied the specific Internet destinations and services to which 
the user has access and the time and day during which the 
access is authorized. For example, if user PC LAN user A is 
assigned to the PC LAN group 1, user A will have access to 
Internet destinations and services for which group 1 has 
authorization. Further, the time to which access is allowed is 
controlled. For example, user A may have access to only 
limited addresses during the hours of 9:00 a.m. to 12:00 a.m. 
and 1:00 p.m. to 5:00 p.m., with unlimited access from 7:00 
a.m. to 9:00 a.m. and 5:00 p.m. to 7:00 p.m. and no access 
at all from 7:00 p.m. to midnight and from midnight to 7:00 
a.m. This can be accomplished simply by assigning group 
parameters at a PC workstation on the LAN as Group 1 
parameters. 

In the preferred embodiment, the group access constraint 
parameters are stored at the access box. The PC, itself, using 
the authentication mechanism inherent in the relationship 
between the PC and the network's native security system, 
identifies itself as user A and as a member of Group 1 to the 
module installed in the PC which is designed to provide 
Internet access through the box. Upon each attempted access 
to an Internet site and/or service, the access module in the 
box authenticates the permission of user A/group 1 to that 
site/service by reading the constraints associated with user 
A/group 1 from the reference pointers stored in the box for 
user A/group 1. 

It is an important feature of the subject invention that the 
administration system includes a method for maintaining a 
log of each user's actual access and use of various destina- 
tions and services on the Internet. For example, user A may 
browse an authorized library of files from 9:00 to 9:15 and 
then access an authorized news service from 11:02 to 11:27. 
User A may also access an entertainment program from 
12:00 noon to 1 :00 p.m. The method of the subject invention 
will provide a management log identifying each user and the 
specific sites addressed and utilized. This provides a man- 
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agement tool for determining efficient and appropriate use of 
the distributive network during working hours and at 
employer expense. It is also of value for cost analysis 
purposes for specific projects to which the user is assigned. 

5 In the preferred embodiment, when the administration 
system is installed on the LAN or WAN, all network users 
default to unlimited access. Where access is not required to 
be limited, the LAN or WAN operates as if the administra- 
tion system is not present and will not interfere with the 

10 normal operation of each user. The logging function is active 
for management auditing of the actual user of the distribu- 
tive network accessing system. The method of the preferred 
embodiment allows access to be assigned on a user or group 
basis, where desired. Users in a group will have access to a 
particular set of network resources. Whenever access is 

15 changed for the group, access for every user in the group is 
simultaneously changed. A user may be a member of several 
groups, with each group assigned different access param- 
eters. In this case, the system defaults the user to the 
combined access restrictive of all of the group memberships. 

20 The preferred embodiment of the invention is Windows 
compatible with a point-and-click methodology used to 
define groups, users and authorized parameters. Users may 
be assigned to one or more groups and moved from group to 
group using the point-and-click method. Parameters may be 
initially assigned or altered for each group using a single 
screen access, permitting simple implementation of the 
administration system with a minimum of training. 

In the preferred embodiment, the constraints to Internet 

30 destinations and services utilize a unique allow/disallow 
wild-card specification of the destinations and services to be 
accessed. This mechanism permits broad freedom of access 
to acceptable destinations and services and easy specifica- 
tion of those unacceptable. The specification "wild card" 

35 entries are identified as stars, *, and can be entered at any 
point in an Internet destination either in text domain name 
(i.e. *. microsoft.com) or in numeric specification (i.e. 
144.228.*.*), in services (WWW or FTP or *) and even in 
newsgroups (*.sex.* which identifies access to any news- 

4Q group with the intermediate specifier SEX anywhere in the 
hierarchical specification name). The specifications with or 
without wild card stars may be identified as ALLOW or 
DISALLOW statements and are intended to be used together 
to forge a comprehensive yet easily specifiable constraint 

45 system. 

Also in the preferred embodiment, each user or group is 
identified as an icon, with each group being depicted as a 
folder and each user depicted as a figure. To add or change 
user access, a folder is selected and the "Change" box 

50 provided on the toolbar is clicked to bring up the Setting 
window, displaying the user or group parameters. The 
administrator can then disable or enable a user or group, 
change access, or change time of access. 
The subject invention provides a wide administrative 

55 function for controlling and managing access to distributive 
networks by individual users or users assigned to a group on 
a LAN or WAN system. This greatly increases the efficiency 
of the workplace and minimizes unauthorized use, reducing 
non-productive time and the access costs associated there- 

60 with- 
it is, therefore, an object and feature of the subject 
invention to provide a method of administration of distribu- 
tive network use by a user on a LAN or WAN. 

It is also an object and feature of the subject invention to 
65 provide a method for controlling the authorized destinations 
and services and the authorized time and day of access to a 
distributive network by each user/group on a LAN or WAN. 
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It is a further object and feature to provide a log of users 
and sites accessed on a distributive network by each user on 
a LAN or WAN. 

It is yet another object and feature of the invention to 
utilize the memory and processing power of each of the PCs 
on the LAN or WAN to authenticate the user/group identity 
through the native LAN login name/password authentication 
system. The management system is, thereby, expandable 
with the LAN or WAN and does not rely on the single 
network access system device to form the capacity. 

Other objects and features of the invention will be readily 
apparent from the accompanying drawings and description. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a flow chart showing a system diagram incor- 
porating the features of the subject invention. 

FIG. 2 is a representative screen showing the user and 
group identifiers. 

FIG. 3 is a representative screen showing the group 
listings. 

FIG. 4 is a representative screen showing a specific 
selected user and or group access parameters and log enable/ 
disable. 

FIG. 5 is a representative screen showing time manage- 
ment matrix. 

FIG. 6 is a representative screen showing a typical site 
management regimen. 

FIG. 7 is a representative host screen for adding IP 
addresses or port numbers to a group or user. 

FIG. 8 is a typical printed log report. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENT 

A typical network system adapted for incorporating the 
administration system and method of the subject invention is 
shown in FIG. 1. A local access network or LAN 10 includes 
a plurality of workstation PCs 12, a network server 14 such 
as, by way of example a Novell server, and a distributive 
network access interface or box 16 such as, by way of 
example an Instant Internet access system. The network 
access interface box 16 permits each PC on the LAN to 
connect to a distributive network 18, such as, by way of 
example the Internet. In the preferred embodiment of the 
invention, the software for managing the administration 
system is installed in the server 14. This stores the infor- 
mation defining each individual user and the groups avail- 
able for user assignment. The group constraints may be 
customized on site and on demand, with users being capable 
of being assigned to any of one or more groups at any time 
by the authorized administrator. All of this information is 
stored and manipulated at the server location, minimizing 
the use of access box memory capacity. This permits ready 
expansion of the administration system without requiring 
upgrade of the access box 16. That is, the administration 
system is capable of supporting the number of users and PCs 
supported by the server 10 and is not dependent upon the 
capacity of the access box 16. 

As shown by the information flow arrows in FIG. 1, a 
typical user "logs on" to the network 10 in the well known 
manner by entering his I.D. or password to the server 14 
from any one of the plurality of PCs 12 on the LAN network, 
as indicated by the arrow 19. The server 14 then grants LAN 
access by properly identifying and authenticating the user, as 
indicated by the double arrow 20, The server also identifies 
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what group the user is assigned to, as indicated by the arrow 
21. Only the constraints for this group I.D. are then entered 
at the access box 16, as indicated by the arrow 22. As also 
indicated by the arrow 22, the administrator provides the 

5 access box with constraints for each group when stationed at 
any PC having properly authenticated himself to the box as 
the box administrator by name and password. When the user 
desires to access the distributive network 18 via the access 
box 16, his group is identified and the constraints assigned 

1Q to the group are implemented, controlling access within both 
destination and service parameters as well as time param- 
eters. 

Using a Novell server and an Instant Internet access 
system as an example, the Instant Internet system uses the 

15 NetWare user names and groups. Each of the users assigned 
to a group have access to a particular set of distributive 
network resources. When resource access is changed for the 
group, access for every user in the group is simultaneously 
changed. A group may have as many users as desired or as 

20 few as one user to be active. A user may be a member of 
several groups, with each group assigned different access 
parameters. In the preferred embodiment, the user only has 
access to the parameters of the most restrictive group to 
which he is assigned. Also in the preferred embodiment, any 

25 individual user may be exempted from all user and group 
constraints and specific individual constraints may be 
applied. 

The software is Windows compatible, making the admin- 
istrative function a simple point-and-click routine. Atypical 

30 administration set up screen is shown in FIG. 2, displaying 
all of the users on the LAN. As there shown, all of the 
individual users, 24, 25, 26, 27 ... n, are displayed as user 
icons or figures in the "List of Users" box 23. When a 
specific user 27, "Admin", is clicked "on", all of the groups 

35 for the LAN are identified in the two boxes 28, 32 below the 
user box 23. The first group box 28, "Groups the User is In", 
lists only those groups to which the user has access, e.g., the 
"Admin" group 29 and the "Everyone" group 30. In the 
example, the user 27 is a generic administrative employee. 

40 Since this automatically puts him in the "Admin" group 29 
he would have access to all "Admin" group parameters. 
However, since he is not better identified, he is also assigned 
to the most restrictive "Everyone" group 30. As demon- 
strated by the tool bar 36, users (via their icons) may be 

45 added and deleted on this screen. Further, each specific user 
may be assigned to or removed from a specific group by 
simply moving the specific group to the selected of boxes 28 
and 32. 

FIG. 3 depicts the inverse of the screen in FIG. 2 and 

50 shows the administrative setup of the example with the 
groups as the primary criteria. All of the example group 
icons 29,30, 33, 34, 35 are displayed in the "List of Groups" 
box or window 40. When a specific group icon such as the 
"Everyone" group is clicked "on", all of the user icons for 

55 the users assigned to that group are displayed in the "Users 
in Group" box or window 41. The icons for the users not 
assigned to the specific group 30 are displayed in the "Users 
not in Group" box or window 42. Users may be reassigned 
to various groups on this screen by simply moving the users 

60 into or out of window 41. As demonstrated by the tool bar 
44, new groups may be added or deleted on this screen. 

To change the settings for a particular user ANDY, as 
indicated by the user icon 25, see FIGS. 2 and 3, the user 
icon is simply double clicked "on", bringing up the screen 

65 depicted in FIG. 4. Within window 46, the selected user's 
name and access parameters are displayed. The administra- 
tor uses this screen to disable a user or group (deny access) 
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at box 94, ignore group settings at box 92, control the in black. For controlled access, the selected hours and days 
logging function at box 82, change the user access by of the week are clicked on by clicking the associated matrix 
clicking "on" box 84, and change network access by clicking block. Internet access is then limited to those times and days 
"on" box 86, as well as News Groups (box 88) and Listen only. Users attempting to remain connected past the permit- 
Ports (box 90). An administrator can specify levels of access 5 ted time are disconnected. 

to the network for each group or user. Access control is one i n addition to the User Access (time and day) 

of the primary features of the subject invention. IP administration, the preferred embodiment of the invention is 

addresses, domain names and port numbers for which users adapted for controlling the specific IP Addresses and Port 

can gain distributive network access are specified by the Numbers for each user and/or user group. This is done by 

administrator, providing a wide range of control. 10 activating the screen depicted in FIG. 6, by clicking on the 

Using the Internet as an example, the Internet utilizes: IP "Internet Access" box 86 of FIG. 4. In the example, access 

Addresses, Domain Names and Port Numbers (which are is controlled by group identity. For the group "Admin", all 

services). All connections to the Internet are made using members of the group have access to the IP Addresses and 

Internet Protocol (IP) Addresses. The IP Addresses allow Port Numbers displayed in window 70 of FIG. 6, and 

communication over the Internet to be directed to an appro- 15 marked by the check. Those marked with "x" are not 

priate destination. Each IP Address consists of the actual IP accessible. "*.*" specifies total Internet access, "www.per- 

address location and a Port Number. The IP Address is in the ftech.com:*" specifies access to all Ports at this specific IP 

format "nnn.nnn.nnn.nnn". From one to three digits can be Address only. "198.*" specifies access to all Ports at all IP 

used between each decimal point in the address, for example addresses beginning with "198". "*:80" specifies access 

198.67.8.99:80. Domain Names are readable versions of IP 20 only to Port 80 at all IP Addresses, 
address, such as "perftech.com" or "instant.net". FpJ^ The window 70 can be modified by entering the appro - 
ex^r^Jlw^vw.perftech:com^cquals-" 198:67:8.99^Port- :> pri ate changes in the window, as will now be described. The 

\j~Numbers c cj^J>ecaiiyrfiumber from 0 to 32000, with the first administration system of the preferred embodiment allows 

Wo^^called^ "well Jyiown" Port Numbers which define for the addition of IP Addresses or Port Numbers to a group 
^pecific^ste^(e^wb browsing occurs on the "welk25 or user access control list. To accomplish this, the admin- 
known"~port number 80; file transfer protocols (FTP) use] istrator first selects the group folder by double clicking "on" 

port 20 and port 21; simple mail transfer protocols -(SMTP) the appropriate group folder icon 29, 30, 33, 34, 35 in the 

use port 25).^_____ — — — ^ screen of either FIG. 2 or FIG. 3. This brings up the "Add 

Using'thTInteraet example in conjunction with the Instant Internet Access" screen depicted in FIG. 7. A specific 
Internet access system, when access is attempted, the Instant 30 address may be typed in at the "IP Address" window 72 and 
Internet access interface 16 (see FIG. 1) checks the access all or specific Port Numbers entered at the "Port" window 
list for the particular user to determine whether or not access 74. A host name may also be specified, as indicated at box 
to the address is permitted. The administration system of the 76. This address/host may be allowed or disallowed for the 
subject invention sorts all access controls in the following specific group by clicking the appropriate box 78 or 80. The 
manner: 35 administrator may also log and review a user's actual access 
Day of Week and Time of Day (User Access, see box 84 in accordance with the preferred embodiment of the subject 
in FIG. 4), invention. To accomplish this, the administrator selects and 
Wildcard Port Numbers (*.ftp) (Internet Access, see box clicks the "effect" button on the tool bar of FIG. 1 or 2, after 
86 in FIG. 4)— the example "*.ftp" means that the user can 4Q a specific user icon has been selected, 
initiate the file transfer protocol to any address he has access. This brings up the screen depicted in FIG. 4. Logging may 
Fully Specified Address (Internet Access)— the user is be enabled/disabled simply by clicking the "Enable Log- 
given the address and the specific Port Numbers to be ging 5 ' box 82. This screen also provides direct access to the 
activated at that address various authorized addresses for the selected user, as inch- 
Partially Specified Address (Internet Access)-the user is 45 C4,ed boxes ,f 4 ' ^'J 1 * ^° b » 
given parameters limiting access to specific ports at a given 8™^ ™ acce j*> b V clickln 8 the . "Jp»» S™P 
ddress or denied an ? acccss bv clicking the "Disable" box 
3 J,? SS * L „ a • * a u vi- 94. When the "Enable Logging" box 82 is activated, a 
When the User Access option is activated by clicking i * ? > f #u« t„^™* ; r 

„ « oa c *u a • * a • mr- a \u~ o complete log of the selected user s usage of the Internet is 

"on box 84 of the screen depicted in FIG. 4, the screen t ' d 

depicted in FIG. 5 is brought up. This permits the admin- 50 maintamea 

istrator to specify days of the week and times during the day A l yP ical P rinted re P ort 15 shown m FIG - 8 ^ date 15 

when users may access the Internet. As shown in FIG. 5, shown in the first column 100. The time an action was taken 

once the User Access box 84 of FIG. 4 is clicked "on" the is shown in column 102. Column 104 identifies sequence 

selected user's access screen is brought up. The days of the when initiated, as will be explained. Column 106 identified 

week and one hour blocks are displayed in matrix form in 55 the user. Column 108 identifies the task. For example, as 

window 60. The administrator can then select "All" by shown at entry 110, User "Herb" initiated access to the 

clicking on box 62, none by clicking on box 64, or controlled internet at 14:06:42 on Jun. 19, 1996. Herb connected to 

by clicking on box 66. In the preferred embodiment a "Not socket 2001 at 14:07:24, as shown at entry 112. Herb is the 

Set" function (box 68) is also provided. This permits the second user in sequence to initiate access on Jun. 19, 1996. 

administrator to combine several groups into a main group 60 Rod initiated contact as the third user at 14:07:58, see entry 

while maintaining access as identified in the original or 114. Since Herb had continuing activity after Rod, see entry 

sub-groups. When the appropriate box 62, 64, 66, 68 is 116, he is still listed as second sequence. As shown at entry 

clicked on, the administrator can set the specific times for U8> Rod disconnects. When he reconnects at entry 120, this 

the user. A color coded scheme is used in conjunction with begins a new sequence 4. 

the matrix of the preferred embodiment, with all access 65 The subject invention provides a comprehensive admin- 
hours and days displayed in green, controlled access hours istration system for controlling access to a distributive 
and days in dark blue and access hours "not set" displayed network through a common access system by LAN or WAN 
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users. While the English language algorithms depicted 
herein have been specifically described for use in a windows 
environment, it will be readily understood by those of 
ordinary skill in the art that the administration and control 
method described herein may be adapted for other environ- 
ments without departing from the teachings of the invention. 
While specific features and embodiments of the invention 
have been described in detail herein, it will be readily 
understood that the invention encompasses all enhance- 
ments and modifications within the scope and spirit of the 
following claims. 
What is claimed is: 

1. A method for controlling access to a distributive 
network by users and user groups utilizing personal com- 
puters (PCs) on a local area network (LAN) comprising: 

utilizing a server for centralized, common access by the 
PCs on the LAN; 

establishing a database for the server to identify users and 
user group assignments for the LAN, the database 
including users and user groups native to normal LAN 
operation, each user group comprising one or more 
users; 

establishing a common access distributive network inter- 
face separate from the server and communicatively 
coupling the LAN to the distributive network without 
directly connecting through the server; 

programming user and user group control parameters into 
the database at the server, including constraints for 
access by users and user groups to the distributive 
network; 

transferring the constraints to the distributive network 
interface; and 

controlling access to the distributive network for a par- 
ticular user at the distributive network interface without 
routing the particular user's access through the server 
and in accordance with the constraints present in the 
distributive network interface for the particular user or 
the group to which the particular user is assigned. 

2. The method of claim 1, further including defining a 
plurality of groups each having a unique set of parameters. 

3. The method of claim 2, further including assigning a 
user to multiple groups. 

4. The method of claim 3, wherein distributive network 
access by said user is limited to the parameters of the 
combined access restrictions of all the group memberships 
to which the user is assigned. 

5. The method of claim 1, wherein each group is assigned 
a time parameter for defining specific time blocks during 
which the user may gain access to the distributive network 
via the central, common access distributive network inter- 
face. 

6. The method of claim 5, further including disconnecting 
users attempting to remain connected outside the specific 
time blocks. 

7. The method of claim 1, wherein the parameters include 
specific distributive network destinations and services to 
which the user may gain access on the distributive network 
via the central, common access distributive network inter- 
face. 

8. The method of claim 7, wherein each distributive 
network destination and service is an address defined by an 
address locator and a port number, and wherein each group 
includes an address parameter to which is assigned a com- 
bination of specified address locators and specified port 
numbers. 

9. The method of claim 8, wherein the address parameter 
includes all address locators with specific port numbers. 
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10. The method of claim 8, wherein the address parameter 
includes all specific address locators with all port numbers. 

U. The method of claim 1, including logging of actual 
user access to the distributive network. 
5 12. The method of claim 11, wherein the logging further 
includes maintaining a log of the time blocks when accessed 
and the distributive network locators accessed. 

13. The method of claim 12, wherein the logging further 
includes maintaining a log of the port numbers accessed. 
1Q 14. The method of claim 12, wherein the logging further 
includes the reverse name lookup of each IP address to 
display in the log the name of the accessed domain rather 
than only the numeric IP address. 

15. A storage medium having therein a plurality of pro- 
15 gramming instructions which, when executed by a 

processor, implement a service for controlling access of 
users on a local area network (LAN) to a distributive 
network, the service including a function for: 
accessing a database of a server for centralized, common 
20 access by personal computers (PCs) on the LAN to 
identify users and user group assignments native to the 
normal LAN operation, each user group comprising 
one or more users; 
assigning user and user group control parameters into the 
25 database at the server, including constraints for access 
by users and user groups to the distributive network; 
transferring the constraints to a distributed network inter- 
face which is separate from the server, the distributed 
network interface providing a communicative coupling 
30 of the LAN to the distributive network without directly 
connecting through the server; and 
controlling access to the distributive network for a par- 
ticular user at the distributive network interface without 
routing the particular user's access through the server 
35 and in accordance with the constraints present in the 
distributive network interface for the particular user or 
the group to which the particular user is assigned. 

16. The storage medium of claim 15, wherein the function 
is further for defining a plurality of groups each having a 

40 unique set of parameters. 

17. The storage medium of claim 15, wherein each group 
is assigned a time parameter for defining specific time 
blocks during which the user may gain access to the dis- 
tributive network. 

45 18. The storage medium of claim 17, wherein the function 
is further for disconnecting users attempting to remain 
connected outside the specific time blocks. 

19. The storage medium of claim 15, wherein the param- 
eters include specific distributive network sites to which the 

50 user may gain access on the distributive network. 

20. The storage medium of claim 19, wherein each 
distributive network destination or service is an address 
defined by an address locator and a port number, and 
wherein each group includes an address parameter to which 

55 is assigned a combination of specified address locators and 
specified port numbers. 

21. The storage medium of claim 15, wherein each 
distributive network access to a newsgroup is defined by the 
hierarchical newsgroup name and access constraints are 

60 forged by floating text strings for allow or disallow of 
access. 

22. The storage medium of claim 15, wherein the function 
is further for logging of actual user access to the distributive 
network. 

65 23. The storage medium of claim 22, wherein the logging 
further includes maintaining a log of the time blocks when 
accessed and the distributive network locators accessed. 
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24. The storage medium of claim 22, wherein the logging 
further includes maintaining a log of the port numbers 
accessed. 

25. An apparatus comprising: 

a storage medium having stored therein a plurality of 5 
programming instructions; and 

an execution unit, coupled to the storage medium, to 
execute the programming instructions to, 

access a database of a server for centralized, common 
access by personal computers (PCs) on a local area 
network (LAN) to identify users and user group assign- 
ments native to the normal LAN operation, each user 
group comprising one or more users, 

assign user and user group control parameters into the ^ 
database at the server, including constraints for access 
by users and user groups to a distributive network, 

transfer the constraints to a distributed network interface 
which is separate from the server, the distributed net- 
work interface providing a communicative coupling of 20 
the LAN to the distributive network without directly 
connecting through the server, 
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control access to the distributive network for a particular 
user at the distributive network interface without rout- 
ing the particular user's access through the server and 
in accordance with the constraints present in the dis- 
tributive network interface for the particular user or the 
group to which the particular user is assigned. 

26. The apparatus of claim 25, wherein each group is 
assigned a time parameter for defining specific time blocks 
during which the user may gain access. 

27. The apparatus of claim 25, wherein the parameters 
include specific Internet addresses and ports to which the 
user may gain access. 

28. The apparatus of claim 25, wherein the execution unit 
is further to execute the programming instructions to main- 
tain a log of actual user access to the Internet. 

29. The apparatus of claim 28, wherein the execution unit 
is further to execute the programming instructions to include 
a log of the time blocks when accessed and the distributive 
network locators accessed. 

* * * * * 
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